Unix Comp-145

LECTURE 11: UNIX’S NETWORKING TOOLS

BASED ON: S. DAS, “YOUR UNIX: THE ULTIMATE GUIDE”, 2ND EDITION, MCGRAW HILL, 2006, CHAPT 14

BROOKDALE COMMUNITY COLLEGE, 12/09/2009, rwj

Page 2

NETWORKING TOOLS

• INTRO TO TCP/IP
• MAPPING DOMAIN NAMES TO IP ADDRESSES: /etc/hosts & DNS
• COMMUNICATION ACROSS SYSTEMS: CLIENT/SERVER
• TESTING CONNECTIVITY USING ping
• USE OF telnet FOR REMOTE LOGIN
• USE OF SECURE SHELL (ssh) FOR REMOTE LOGIN
• WHY NEED CRYPTOGRAPHY?
• USE AND LIMITS OF ftp

Page 3

Intro to TCP/IP

• TRANSMISSION CONTROL PROTOCOL OVER INTERNET PROTOCOL
  – Initially developed on and for the UNIX platform
  – AROUND SINCE 1983
  – A PACKET SWITCHING SYSTEM: NO DEDICATED CONNECTION BETWEEN SENDER AND RECEIVER
  – TCP’S STANDARD = IETF’S RFC 793 (+RFC 1323, RFC 2581, ETC.)
  – IP’S STANDARD = IETF’S RFC 791 (+RFC 1826, 1853, 2549, 3768, ETC.)
• PACKETS
  – EACH PACKET CONTAINS A PACKET SEQUENCE NUMBER, A CHECKSUM, PLUS A HEADER THAT CONTAINS AT LEAST A SENDER ADDRESS & ONE OR MORE RECIPIENT ADDRESSES.
  – TRANSFERRED THROUGH THE NETWORK VIA ROUTERS: INTELLIGENT DEVICES THAT INSPECT EACH PACKET AND DECIDE WHAT TO DO NEXT (DELIVER THE PACKET LOCALLY OR FORWARD IT TO ANOTHER ROUTER).

Page 4

Intro to TCP/IP (Cont’d)

• HOST NAMES AND IP ADDRESSES
  – HOST = COMPUTER IN NETWORK
  – HOST IDENTIFIED BY hostname VALUE
  – 2 FORMS OF HOST NAME:
    o SIMPLE: sodapop
    o FULLY QUALIFIED DOMAIN NAME (FQDN): sodapop.brookdalecc.edu
  – hostname COMMAND REVEALS THE HOST NAME OF THE COMPUTER

Page 5

Intro to TCP/IP (Cont’d)

• HOST NAMES AND IP ADDRESSES (CONT’D)
  – EACH NETWORKED HOST IS ASSIGNED A NETWORK-UNIQUE IP ADDRESS.
    o SET OF 4 DOT-DELIMITED OCTETS, I.E., EACH OCTET REPRESENTS A SEQUENCE OF 8 BITS OR 1 BYTE.
    o MAX VALUE OF EACH OCTET IS 255
    o FOR ROUTING EFFICIENCY, EACH IP ADDRESS IS DIVIDED INTO A PREFIX AND A SUFFIX:
      - PREFIX IDENTIFIES THE NETWORK TO WHICH THE COMPUTER IS ATTACHED
      - SUFFIX IDENTIFIES THE COMPUTER WITHIN THAT NETWORK
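The octet and prefix/suffix rules above, worked through in code. This is an added example, not code from the lecture or from Das's book: it validates a dotted-quad address octet by octet, then splits it into the network prefix a router compares and the host suffix that is only meaningful inside that network. The address 172.17.1.243 is the one that appears later in the lecture's ping output; the /16 prefix length is an assumption made for the illustration.

```python
# Added example (not from the lecture): IPv4 octet validation and
# prefix/suffix split for a given prefix length.

def parse_ipv4(text):
    """Return the four octets of a dotted-quad address as a list of ints.

    Raises ValueError unless the text is exactly four decimal fields, each
    in the range 0..255 (the maximum octet value named on the slide).
    """
    fields = text.strip().split(".")
    if len(fields) != 4:
        raise ValueError(f"expected 4 dot-delimited octets, got {len(fields)}: {text!r}")
    octets = []
    for field in fields:
        if not field.isdigit():
            raise ValueError(f"octet {field!r} is not a decimal number")
        value = int(field)
        if value > 255:
            raise ValueError(f"octet {value} exceeds 255 (8 bits)")
        octets.append(value)
    return octets


def is_valid_ipv4(text):
    """Boolean wrapper around parse_ipv4 for callers that only need a yes/no."""
    try:
        parse_ipv4(text)
        return True
    except ValueError:
        return False


def to_int(octets):
    """Pack four octets into one 32-bit integer, most significant octet first."""
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def to_dotted(value):
    """Inverse of to_int: render a 32-bit integer as dotted-quad text."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def split_prefix_suffix(address, prefix_len):
    """Split an address into (network prefix, host suffix) for a prefix length.

    The prefix identifies the network the host is attached to; the suffix
    identifies the host within that network. prefix_len (e.g. 16 for a /16)
    is the number of leading bits that belong to the prefix.
    """
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be 0..32")
    addr = to_int(parse_ipv4(address))
    mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    network = addr & mask
    host = addr & ~mask & 0xFFFFFFFF
    return to_dotted(network), to_dotted(host)


def same_network(addr_a, addr_b, prefix_len):
    """True when both addresses share a prefix, i.e. a router delivers
    between them locally instead of forwarding to another router."""
    return (split_prefix_suffix(addr_a, prefix_len)[0]
            == split_prefix_suffix(addr_b, prefix_len)[0])


if __name__ == "__main__":
    print(split_prefix_suffix("172.17.1.243", 16))          # ('172.17.0.0', '0.0.1.243')
    print(same_network("172.17.1.243", "172.17.200.9", 16))  # True
```

The prefix length is what the slide leaves implicit: without it (or a netmask) the same address string can be split in 33 different ways, which is why routing tables carry prefix lengths alongside addresses.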

Page 6

Intro to TCP/IP (Cont’d)

• HOST NAMES AND IP ADDRESSES (CONT’D)
  – LIKE FQDNS, AN IP ADDRESS IS HIERARCHICAL
  – ONLY IP ADDRESSES ARE CONSIDERED ROUTABLE.
  – FULLY QUALIFIED DOMAIN NAMES MUST BE CONVERTED TO IP ADDRESSES FOR A ROUTER TO EVALUATE.
  – RESOLUTION OF FQDNS TO IP ADDRESSES IS PERFORMED BY THE “RESOLVER”

Page 7

MAPPING DOMAIN NAMES TO/FROM IP ADDRESSES

• /etc/hosts
  – HOLDS NAME TO ADDRESS MAPPINGS IN SMALL NETWORKS.
  – FILE OFTEN CALLED THE HOST FILE.
  – SYNTAX: IP_ADDRESS FOLLOWED BY THE NAME(S) THAT MAP TO IT, ONE LINE PER ADDRESS:

    $ cat /etc/hosts
    ::1        localhost localhost.brookdalecc.edu
    127.0.0.1  localhost localhost.brookdalecc.edu

  – 127.0.0.1 = LOCAL (LOOP-BACK) ADDRESS.
    • SOMETIMES USED BY SYSTEM ADMINISTRATORS TO STOP SITES THAT ATTEMPT TO REDIRECT THEIR REQUESTS.
    • CONSIDERED A DEAD-END ADDRESS, BUT SOME MALICIOUS CODE CAN RUN SERVICES ON THE LOOPBACK ADDRESS
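The host file format and the two uses of the loopback address mentioned above, as an added example (not code from the lecture or the book). It parses /etc/hosts-style text the way the resolver reads it (first matching line wins, names are case-insensitive), resolves in both directions, and lists names that point at loopback without being the machine's own names. The file content is constructed here; the two localhost lines copy the slide's sample, and the sodapop and ads.example.test lines are assumptions added for the illustration.

```python
# Added example (not from the lecture): /etc/hosts parsing, lookup in both
# directions, and an audit of loopback "sinkhole" entries.

HOSTS_TEXT = """\
# constructed sample modelled on the lecture's cat /etc/hosts output
::1          localhost localhost.brookdalecc.edu
127.0.0.1    localhost localhost.brookdalecc.edu
172.17.1.243 sodapop.brookdalecc.edu sodapop   # assumed entry for this example
127.0.0.1    ads.example.test                    # constructed admin sinkhole
"""

LOOPBACK = {"127.0.0.1", "::1"}
LOCAL_NAMES = {"localhost", "localhost.localdomain"}


def parse_hosts(text):
    """Return a list of (address, [names]) in file order.

    Blank lines are skipped and '#' starts a comment anywhere on a line,
    as in the real file. Lines with an address but no name are ignored.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        entries.append((fields[0], fields[1:]))
    return entries


def lookup(entries, name):
    """Name -> address. The first matching line wins; DNS names are
    case-insensitive, so compare lower-cased."""
    wanted = name.lower()
    for address, names in entries:
        if wanted in (n.lower() for n in names):
            return address
    return None


def reverse_lookup(entries, address):
    """Address -> every name mapped to it (the 'from IP addresses' direction)."""
    names = []
    for addr, ns in entries:
        if addr == address:
            names.extend(ns)
    return names


def loopback_overrides(entries):
    """Names that resolve to a loopback address but are not the host's own.

    An administrator's deliberate sinkhole and an unwanted redirect look
    identical here, so the result is a review list, not a verdict.
    """
    flagged = []
    for address, names in entries:
        if address in LOOPBACK:
            for n in names:
                lower = n.lower()
                if lower not in LOCAL_NAMES and not lower.startswith("localhost."):
                    flagged.append(n)
    return flagged


if __name__ == "__main__":
    table = parse_hosts(HOSTS_TEXT)
    print(lookup(table, "sodapop"))                 # 172.17.1.243
    print(reverse_lookup(table, "127.0.0.1"))       # localhost names plus the sinkhole
    print(loopback_overrides(table))                # ['ads.example.test']
```

Because the host file is consulted before DNS on most systems, an unexpected entry in this review list is worth checking: the slide notes both the legitimate administrative use and the fact that malicious code can also put services on the loopback address.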

Page 8

MAPPING DOMAIN NAMES TO/FROM IP ADDRESSES

DNS: DOMAIN NAME SYSTEM
  – USED IN LARGER NETWORKS
  – DB THAT PROVIDES A NAME TO ADDRESS MAPPING SERVICE.
  – HOSTNAMES ORGANIZED HIERARCHICALLY.
  – DISTRIBUTED DB COMPRISED OF VARIOUS HOSTS ON THE INTERNET AND VARIOUS DOMAINS
  – DELEGATION OF AUTHORITY AT INDIVIDUAL LEVELS IN THE HIERARCHY.
  – THREE MAIN COMPONENTS OF DNS
    • RESOLVER (MAPS A NAME TO AN IP ADDRESS)
    • NAME SERVER
    • DATABASE OF RESOURCE RECORDS (RRS)

Page 9

MAPPING DOMAIN NAMES TO/FROM IP ADDRESSES

[Figure: Partial DNS Hierarchy]

Page 10

MAPPING DOMAIN NAMES TO/FROM IP ADDRESSES

DOMAINS EXPLAINED
  – TOP LEVEL DOMAINS: IMMEDIATELY SUBORDINATE TO THE “.” ROOT
  – DOMAIN IS A LABEL OF THE DNS TREE.
  – EACH NODE ON THE DNS TREE REPRESENTS A DOMAIN.
  – DOMAIN NAME REPRESENTS AN ENTITY'S POSITION WITHIN THE STRUCTURE OF THE DNS HIERARCHY
  – DOMAINS UNDER THE TOP-LEVEL DOMAINS REPRESENT INDIVIDUAL ORGANIZATIONS OR ENTITIES

Page 11

MAPPING DOMAIN NAMES TO/FROM IP ADDRESSES

DOMAINS EXPLAINED (cont’d)
  – DELEGATION OF AUTHORITY TO INDIVIDUAL LEVELS IN THE HIERARCHY FALLS TO THE ORGANIZATION’S NETWORK ADMIN.
  – ZONE = GROUP OF DOMAINS AND SUB-DOMAINS FOR WHICH AN ORGANIZATION HAS AUTHORITY
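The tree structure of the last three slides (root, top-level domain, organization, host) and the idea of a zone as the point where authority is delegated, as an added example that is not part of the lecture. It walks an FQDN from the “.” root down to the host, which is exactly the sequence of nodes a resolver passes through, then finds the deepest delegated zone on that path. The delegation table is constructed for the illustration; only the brookdalecc.edu name comes from the slides.

```python
# Added example (not from the lecture): walking the DNS tree for a name and
# finding the zone whose servers are authoritative for it.

def normalize(name):
    """Lower-case a domain name and make it absolute (trailing dot)."""
    return name.strip().lower().rstrip(".") + "."


def ancestors(fqdn):
    """Every node from the root down to the name itself, e.g.
    'sodapop.brookdalecc.edu' -> ['.', 'edu.', 'brookdalecc.edu.', 'sodapop.brookdalecc.edu.'].
    The first entry is the root, the second the top-level domain."""
    labels = normalize(fqdn).rstrip(".").split(".")
    if labels == [""]:          # the root itself
        return ["."]
    nodes = ["."]
    for i in range(len(labels) - 1, -1, -1):
        nodes.append(".".join(labels[i:]) + ".")
    return nodes


def top_level_domain(fqdn):
    """The label immediately subordinate to the root, or None for the root."""
    path = ancestors(fqdn)
    return path[1] if len(path) > 1 else None


# Constructed delegation table for this example: zone apex -> who holds authority.
ZONES = {
    ".": "root name servers",
    "edu.": ".edu registry operator",
    "brookdalecc.edu.": "Brookdale network admin",
}


def authoritative_zone(fqdn, zones=ZONES):
    """Longest-suffix match: the deepest delegated zone on the path is the one
    whose name servers hold the record. Names below it (hosts, sub-domains
    that were not delegated further) belong to that same zone."""
    for node in reversed(ancestors(fqdn)):
        if node in zones:
            return node, zones[node]
    return None


if __name__ == "__main__":
    print(ancestors("sodapop.brookdalecc.edu"))
    print(authoritative_zone("sodapop.brookdalecc.edu"))   # ('brookdalecc.edu.', 'Brookdale network admin')
```

The longest-suffix rule is why an organization can add or remove hosts without involving the registry above it: everything beneath the delegated apex is answered from the organization's own zone data.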

Page 12

COMMUNICATION ACROSS SYSTEMS

CLIENT-SERVER PARADIGM
  – ONE ENTITY MAKES A REQUEST, ANOTHER PARTY SERVICES THE REQUEST

[Figure: Client sends a Request to the Server; the Server returns a Response.]

Page 13

COMMUNICATION ACROSS SYSTEMS

CLIENT-SERVER PARADIGM IN UNIX
  – SERVER PROGRAMS IN UNIX ARE CALLED DAEMONS.
    • RUN IN BACKGROUND
    • LISTEN FOR INPUT FROM CLIENTS
    • EXAMPLES:
      – httpd – LISTENS FOR REQUESTS FOR WEB-PAGES
      – sendmail – HANDLES E-MAIL
      – inetd – HANDLES FTP AND TELNET REQUESTS
  – ping – DOES NOT NEED A SERVER.
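The request/response exchange of the two slides above, run end to end on the loopback interface. This is an added example, not code from the lecture: a background thread plays the daemon (listens, accepts, services one request), and the client connects, sends its request and reads the reply. The one-line protocol (the server returns the request upper-cased) is constructed for illustration; binding to port 0 asks the kernel for a free ephemeral port.

```python
# Added example (not from the lecture): a minimal daemon and client talking
# over 127.0.0.1. The protocol is constructed: the reply is the upper-cased request.

import socket
import threading


def serve_one(listener, ready):
    """Daemon side: wait for one client, read its whole request, answer it."""
    ready.set()                          # tell the caller we are listening
    conn, _peer = listener.accept()
    with conn:
        request = b""
        while True:                      # read until the client signals end of request
            chunk = conn.recv(1024)
            if not chunk:
                break
            request += chunk
        conn.sendall(request.upper())    # service the request


def request_response(message):
    """Client side: start a background server, send message, return (reply, port)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))      # 0 = let the kernel choose a free port
    listener.listen(1)
    port = listener.getsockname()[1]

    ready = threading.Event()
    server = threading.Thread(target=serve_one, args=(listener, ready), daemon=True)
    server.start()
    ready.wait()                         # listen() already happened, so connect cannot be refused

    with socket.create_connection(("127.0.0.1", port), timeout=5) as client:
        client.sendall(message.encode())
        client.shutdown(socket.SHUT_WR)  # half-close: "that was the whole request"
        chunks = []
        while True:
            data = client.recv(1024)
            if not data:                 # server closed: response complete
                break
            chunks.append(data)

    server.join(timeout=5)
    listener.close()
    return b"".join(chunks).decode(), port


if __name__ == "__main__":
    reply, port = request_response("hello daemon")
    print(f"served on port {port}: {reply!r}")       # 'HELLO DAEMON'
```

Two details matter for real daemons as well: the server is listening before the client connects (the connection would otherwise be refused), and the end of a request has to be signalled in-band or by a half-close, because TCP is a byte stream with no message boundaries of its own.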

Page 14

COMMUNICATION ACROSS SYSTEMS (cont’d)

• SERVERS COMMUNICATE VIA PORTS
  o PORT IDs (NUMBERS) ARE DIVIDED INTO 3 RANGES:
    - FROM 0 THROUGH 1023 = WELL KNOWN PORTS
    - FROM 1024 THROUGH 49151 = REGISTERED PORTS
    - FROM 49152 THROUGH 65535 = DYNAMIC AND/OR PRIVATE PORTS
  o “PORTS ARE USED IN THE TCP [RFC793] TO NAME THE ENDS OF LOGICAL CONNECTIONS WHICH CARRY LONG TERM CONVERSATIONS. FOR THE PURPOSE OF PROVIDING SERVICES TO UNKNOWN CALLERS, A SERVICE CONTACT PORT IS DEFINED.” THE LIST PUBLISHED BY IANA “SPECIFIES THE PORT USED BY THE SERVER PROCESS AS ITS CONTACT PORT. THE CONTACT PORT IS SOMETIMES CALLED THE "WELL-KNOWN PORT".” [1]
• PORT TYPES: TCP AND UDP (USER DATAGRAM PROTOCOL)

[1] http://www.iana.org/assignments/port-numbers, LAST UPDATED 12/8/09

Page 15

COMMUNICATION ACROSS SYSTEMS (cont’d)

• “WELL-KNOWN” SERVER PORTS

  SERVICE   CLIENT PROGRAM                                 SERVER PORT #
  FTP       ftp                                            21
  SSH       ssh, scp, sftp, slogin                         22
  TELNET    telnet                                         23
  SMTP      mailx, netscape                                25
  HTTP      netscape, mozilla, firefox, opera, konqueror   80
  POP3      fetchmail                                      110

  A COMPLETE LIST OF THE PORTS THAT UNIX LISTENS ON IS FOUND IN /etc/services
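The three port ranges of slide 14 and the /etc/services table of slide 15, as an added example (not code from the lecture). It classifies a port number into the IANA range it belongs to and reads /etc/services-style lines into a name-to-port table in both directions. The sample lines are constructed in the file's real layout (service name, port/protocol, optional aliases, comments after #) and cover the services in the slide's table; pointing parse_services at the real file is the obvious next step. One caveat the slide glosses over: /etc/services is a name-to-number directory, not a record of what is actually listening; netstat or ss show that.

```python
# Added example (not from the lecture): IANA port-range classification and
# an /etc/services parser over a constructed excerpt.

SERVICES_TEXT = """\
# constructed /etc/services excerpt (format: service  port/protocol  [aliases])
ftp             21/tcp
ssh             22/tcp
telnet          23/tcp
smtp            25/tcp          mail
domain          53/tcp
domain          53/udp
http            80/tcp          www www-http
pop3            110/tcp         pop-3
"""


def port_range(port):
    """Name the IANA range a port number falls in."""
    if not 0 <= port <= 65535:
        raise ValueError("port must be 0..65535")
    if port <= 1023:
        return "well known"
    if port <= 49151:
        return "registered"
    return "dynamic/private"


def parse_services(text):
    """Return {(name, protocol): port}; aliases get their own keys."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2 or "/" not in fields[1]:
            continue                      # not a service line
        port_str, proto = fields[1].split("/", 1)
        port = int(port_str)
        for name in [fields[0]] + fields[2:]:
            table[(name, proto)] = port
    return table


def service_port(table, name, proto="tcp"):
    """Name -> port for a transport, or None when the name is unknown."""
    return table.get((name, proto))


def services_on_port(table, port):
    """Inverse: which names/transports are registered for a port number."""
    return sorted(f"{n}/{p}" for (n, p), v in table.items() if v == port)


if __name__ == "__main__":
    table = parse_services(SERVICES_TEXT)
    for name in ("ftp", "ssh", "telnet", "smtp", "http", "pop3"):
        port = service_port(table, name)
        print(f"{name:8} {port:5}  {port_range(port)}")
    print(services_on_port(table, 53))    # ['domain/tcp', 'domain/udp']
```

The same port number can appear once per transport (53/tcp and 53/udp both belong to DNS), which is why the table is keyed on the (name, protocol) pair rather than on the name alone.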

Page 16

COMMUNICATION ACROSS SYSTEMS (cont’d)

• A HOST CONNECTS TO THE NETWORK VIA A NETWORK INTERFACE CARD – OFTEN CALLED A “NIC CARD”
• THE CARD IS ASSIGNED AN IP ADDRESS.

Page 17

TESTING CONNECTIVITY USING PING (cont’d)

• USED TO TEST CONNECTIVITY
• PING SENDS 56 BYTE PACKETS TO A REMOTE HOST WHOSE NIC CARD ANSWERS BACK

  $ ping sodapop
  PING sodapop: 56 data bytes
  64 bytes from sodapop.brookdalecc.edu (172.17.1.243): icmp_seq=0. time=0. ms
  64 bytes from sodapop.brookdalecc.edu (172.17.1.243): icmp_seq=. time=0. ms
  64 bytes from sodapop.brookdalecc.edu (172.17.1.243): icmp_seq=. time=0. ms
  64 bytes from sodapop.brookdalecc.edu (172.17.1.243): icmp_seq=. time=0. ms
  ^C
  --- sodapop PING statistics ---
  4 packets transmitted, 4 packets received, 0% packet loss
  round trip (ms) min/avg/max/stddev = 0.010/0.031/0.006
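Turning ping's output into numbers a health check can act on, as an added example that is not part of the lecture. It parses the per-reply lines and the statistics block, works out which sequence numbers never came back, and gives a reachable/unreachable verdict. The transcripts are constructed in the format of the slide's ping output (the slide's own copy lost its icmp_seq values in extraction); the lossy run against a host called flaky is invented to show loss handling.

```python
# Added example (not from the lecture): parse ping output into structured
# results. Both transcripts below are constructed samples.

import re

PING_OK = """\
PING sodapop: 56 data bytes
64 bytes from sodapop.brookdalecc.edu (172.17.1.243): icmp_seq=0. time=0.010 ms
64 bytes from sodapop.brookdalecc.edu (172.17.1.243): icmp_seq=1. time=0.031 ms
64 bytes from sodapop.brookdalecc.edu (172.17.1.243): icmp_seq=2. time=0.028 ms
64 bytes from sodapop.brookdalecc.edu (172.17.1.243): icmp_seq=3. time=0.055 ms
^C
--- sodapop PING statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round trip (ms) min/avg/max/stddev = 0.010/0.031/0.055/0.018
"""

PING_LOSSY = """\
PING flaky: 56 data bytes
64 bytes from flaky.example.test (10.0.0.7): icmp_seq=0. time=12.1 ms
64 bytes from flaky.example.test (10.0.0.7): icmp_seq=3. time=15.9 ms
--- flaky PING statistics ---
4 packets transmitted, 2 packets received, 50% packet loss
"""

# A reply line: "icmp_seq=N. time=T ms" (the dot after N is the Solaris/BSD style).
REPLY_RE = re.compile(r"icmp_seq=(\d+)\.?\s+time=([\d.]+)\s*ms")
STATS_RE = re.compile(r"(\d+) packets transmitted, (\d+) packets received, (\d+)% packet loss")


def parse_ping(text):
    """Return transmitted/received counts, loss percentage, the sequence
    numbers that never came back, and the mean round-trip time."""
    replies = [(int(seq), float(rtt)) for seq, rtt in REPLY_RE.findall(text)]
    stats = STATS_RE.search(text)
    if stats:
        transmitted, received, loss = (int(x) for x in stats.groups())
    else:
        # Interrupted before the summary: fall back to what was echoed.
        transmitted = received = len(replies)
        loss = 0 if replies else 100
    seen = {seq for seq, _ in replies}
    missing = [seq for seq in range(transmitted) if seq not in seen]
    rtts = [rtt for _, rtt in replies]
    return {
        "transmitted": transmitted,
        "received": received,
        "loss_pct": loss,
        "missing_seq": missing,
        "avg_rtt_ms": round(sum(rtts) / len(rtts), 3) if rtts else None,
    }


def reachable(text, max_loss_pct=0):
    """Health-check verdict: at least one answer and loss within tolerance."""
    result = parse_ping(text)
    return result["received"] > 0 and result["loss_pct"] <= max_loss_pct


if __name__ == "__main__":
    print(parse_ping(PING_OK))      # loss 0, nothing missing, avg 0.031 ms
    print(parse_ping(PING_LOSSY))   # loss 50, missing [1, 2]
```

Tracking the missing sequence numbers separates steady loss from a burst, which a bare percentage cannot; and because ping needs no server, a silent host may be filtering ICMP rather than being down, so a failed check is a prompt to look further, not a final diagnosis.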

Page 18

USE OF telnet FOR REMOTE LOGIN

• LOG IN TO A REMOTE MACHINE OVER AN IP NETWORK [telnet <ip_address>]
• USER ID AND PASSWORD TRANSMITTED IN CLEAR TEXT
• LOCAL MACHINE ACTS LIKE A DUMB TERMINAL: ECHOES TO TERMINAL WHAT IS SENT AND WHAT IS RECEIVED.
• “ESC_KEY” OR “CTL ]” – TEMPORARILY TRANSFERS USER TO LOCAL MACHINE. PROMPT CHANGES TO telnet>

  $ telnet 127.0.0.1
  Trying 127.0.0.1...
  Connected to localhost.
  Escape character is '^]'.
  Trying SRA secure login:
  User (rjesmajian):

Page 19

USE OF telnet FOR REMOTE LOGIN (cont’d)

• “esc_key” OR “ctl +]” – TEMPORARILY ENABLES THE USER TO RUN COMMANDS ON THE LOCAL MACHINE. PROMPT CHANGES TO telnet>
• USE “!” TO RUN COMMANDS ON THE LOCAL SYSTEM:

  telnet> !ls -l *.sh

Page 20

USE OF telnet FOR REMOTE LOGIN (cont’d)

  Microsoft telnet>
  Microsoft Telnet> ctl+]
  Welcome to Microsoft Telnet Client
  Escape Character is 'CTRL+]'
  Microsoft Telnet> ?/help
  Commands may be abbreviated. Supported commands are:
  c    - close                   close current connection
  d    - display                 display operating parameters
  o    - open hostname [port]    connect to hostname (default port 23).
  q    - quit                    exit telnet
  set  - set                     set options (type 'set ?' for a list)
  sen  - send                    send strings to server
  st   - status                  print status information
  u    - unset                   unset options (type 'unset ?' for a list)
  ?/h  - help                    print help information
  Microsoft Telnet> !ls -l ~/*.sh

Page 21

USE OF SECURE SHELL (ssh) FOR REMOTE LOGIN

• SECURELY LOG IN TO A REMOTE MACHINE OVER AN IP NETWORK [ssh <RemoteMachineName>]
• DEVELOPED TO REPLACE telnet
• USES PUBLIC KEY (ASYMMETRIC) CRYPTOGRAPHIC ALGORITHMS TO GENERATE A MATHEMATICALLY RELATED PUBLIC-PRIVATE KEY PAIR
• KEY PAIR IS USED TO
  – ESTABLISH TRUST, I.E., AUTHENTICATE USER & HOST
  – ENCRYPT/DECRYPT PASSWORDS & DATA.

Page 22

WHY NEED CRYPTOGRAPHY?

• ENCRYPTION/DECRYPTION PROVIDES DATA CONFIDENTIALITY AND DATA INTEGRITY OVER AN INSECURE NETWORK
  o DATA EXCHANGED IS ENCRYPTED BY THE SENDER AND DECRYPTED BY THE RECIPIENT USING A SESSION KEY.
• MESSAGES & TRANSACTIONS CAN BE DIGITALLY SIGNED BY THE ORIGINATOR TO PROVIDE DATA INTEGRITY AND AUTHENTICATION
  o POPULAR ALGORITHMS USED TO GENERATE DIGITAL SIGNATURES:
    - RSA (INVENTED BY RIVEST, SHAMIR AND ADLEMAN)
    - DSA (DIGITAL SIGNATURE ALGORITHM)

Page 23

WHY NEED CRYPTOGRAPHY? (cont’d)

• 2 FORMS OF CRYPTOGRAPHY
  o SYMMETRIC – 1 SECRET KEY
    - ADVANTAGE: SIMPLE MATHEMATICAL ALGORITHM; KEY DETERMINED BETWEEN 2 PARTIES
    - DISADVANTAGE: KEY MANAGEMENT
    - USE: MILITARY AND MOST MAJOR FIRMS FOR INTERNAL COMMUNICATIONS
  o ASYMMETRIC – 1 PUBLIC KEY AND 1 PRIVATE KEY
    - ADVANTAGE: KEY MANAGEMENT
    - DISADVANTAGE: COMPLEX MATHEMATICAL ALGORITHM; MUST SUBSCRIBE TO A PUBLIC KEY ADMINISTRATOR SERVICE
    - USE: TELECOMS AND MOST MAJOR FIRMS FOR EXTERNAL COMMUNICATIONS

Page 24

WHY NEED CRYPTOGRAPHY? (SYMMETRIC CRYPTOGRAPHY)

• DATA PROTECTION (VIA SYMMETRIC ENCRYPTION).

[Figure: symmetric encryption; both key boxes in the diagram are labelled “Sender’s Secret Key”.]

Page 25

WHY NEED CRYPTOGRAPHY? (ASYMMETRIC CRYPTOGRAPHY)

• DATA PROTECTION (VIA ASYMMETRIC ENCRYPTION).

THE RECIPIENT’S SECRET KEY IS THE MATHEMATICAL INVERSE FUNCTION OF THE SENDER’S PUBLIC KEY.

Page 26

WHY NEED CRYPTOGRAPHY? (DIGITAL SIGNATURES) (cont’d)

• MESSAGE AUTHENTICATION (VIA DIGITAL SIGNATURE).

Page 27

WHY NEED CRYPTOGRAPHY? (DIGITAL SIGNATURES) (cont’d)

• ORIGINATING A DIGITAL SIGNATURE
  o A MESSAGE DIGEST (MD) IS GENERATED USING THE SENDER’S PRIVATE KEY AND A MD CREATION ALGORITHM, I.E., A SET OF HASHING ALGORITHMS.
    • MESSAGE DIGEST = “SUMMARY” OF THE MESSAGE TO BE TRANSMITTED.
    • MD’S MAIN PROPERTIES:
      1. ALWAYS SMALLER THAN THE MESSAGE ITSELF
      2. THE SLIGHTEST CHANGE IN THE MESSAGE PRODUCES A DIFFERENT DIGEST.
    • THE MESSAGE DIGEST IS ENCRYPTED USING THE SENDER'S ASYMMETRIC PRIVATE KEY. THE RESULTING ENCRYPTED MD = THE DIGITAL SIGNATURE.
  o ATTACH THE COMPUTED DIGITAL SIGNATURE TO THE MESSAGE & SEND.

Page 28

WHY NEED CRYPTOGRAPHY? (DIGITAL SIGNATURES) (cont’d)

• VALIDATING A DIGITAL SIGNATURE ON RECEIPT
  o USE THE SENDER'S PUBLIC KEY TO DECRYPT THE DIGITAL SIGNATURE TO OBTAIN THE RECEIVED MD, ASSUMED TO BE GENERATED BY THE KNOWN SENDER.
  o USE THE SAME MD ALGORITHM USED BY THE SENDER TO GENERATE YOUR OWN MD OF THE RECEIVED MESSAGE.
  o COMPARE THE 2 MDS
    1. IF EQUAL, THEN THE MESSAGE IS UNALTERED & NOT FROM AN IMPOSTER.
    2. IF NOT EQUAL, DISCARD THE MESSAGE AS UNTRUSTWORTHY: THE MESSAGE HAS BEEN TAMPERED WITH BY A THIRD PARTY.
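The originate/validate procedure of slides 27 and 28, together with the session-key idea of slide 22, carried through in working code. This is an added example, not code from the lecture or the book, and it is a teaching toy: textbook RSA with two fixed, small primes so every step is visible, no padding, and a SHA-256 digest truncated to 64 bits so that it fits below the modulus. Real systems use 2048-bit or larger keys, a padding scheme (PSS for signatures, OAEP for key wrapping) and a vetted library, never bare pow(). Two points the example makes explicit where the slides are loose: the message digest itself is a keyless hash of the message, and the sender's private key enters only when that digest is signed; and for confidentiality the session key is wrapped to the recipient's public key, which only the recipient's own private key inverts.

```python
# Added example (not from the lecture): toy RSA sign/verify over a message
# digest, plus wrapping a symmetric session key to a public key.
# Educational only: fixed small primes, no padding, truncated digest.

import hashlib
import secrets

# Two Mersenne primes (2^31-1 and 2^61-1), chosen so the arithmetic is readable
# and a 64-bit digest is still smaller than n = P*Q (about 2^92).
P = 2**31 - 1
Q = 2**61 - 1
E = 65537


def make_keypair(p=P, q=Q, e=E):
    """Return (public, private) as ((e, n), (d, n)), d = e^-1 mod phi(n)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)               # modular inverse (Python 3.8+)
    return (e, n), (d, n)


def message_digest(message: bytes, bits: int = 64) -> int:
    """The MD: SHA-256 of the message, truncated so it fits below n.
    Property 1: shorter than any non-trivial message.
    Property 2: the slightest change in the message changes the digest."""
    full = hashlib.sha256(message).digest()
    return int.from_bytes(full[: bits // 8], "big")


def sign(message: bytes, private) -> int:
    """Originate: digest the message, then 'encrypt' the digest with the
    sender's private key. The result is the digital signature."""
    d, n = private
    return pow(message_digest(message), d, n)


def verify(message: bytes, signature: int, public) -> bool:
    """Validate: recover the sender's digest with the sender's public key,
    recompute our own digest of the received message, compare."""
    e, n = public
    received_md = pow(signature, e, n)
    return received_md == message_digest(message)


def wrap_session_key(session_key: int, recipient_public) -> int:
    """Confidentiality: encrypt a symmetric session key to the recipient's
    public key; only the matching private key can recover it."""
    e, n = recipient_public
    return pow(session_key, e, n)


def unwrap_session_key(wrapped: int, recipient_private) -> int:
    d, n = recipient_private
    return pow(wrapped, d, n)


def demo():
    """Run the whole procedure; returns (signature ok, tampered ok, key round-trips)."""
    public, private = make_keypair()
    msg = b"Lecture 11: Unix networking tools"
    sig = sign(msg, private)
    genuine = verify(msg, sig, public)              # True: unaltered, from the key holder
    tampered = verify(msg + b".", sig, public)      # False: one extra byte is detected
    k = secrets.randbits(64)                        # session key for the symmetric cipher
    k_back = unwrap_session_key(wrap_session_key(k, public), private)
    return genuine, tampered, k == k_back


if __name__ == "__main__":
    print(demo())   # (True, False, True)
```

The comparison in verify() is the whole point of the scheme: anyone holding the public key can recompute the digest and check it, but only the private-key holder could have produced a signature that decrypts to it.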

Page 29

FILE TRANSFER PROTOCOL (FTP)

• LOG IN TO A REMOTE MACHINE OVER AN IP NETWORK TO TRANSFER FILES [ftp <remoteMachineName>]
• AUTHORIZED REMOTE USER (USER’S SIGN-ON CREDENTIALS (USERID/PWD) KNOWN BY THE REMOTE SYSTEM)
• ANONYMOUS USER (USERID = anonymous, PWD = USER’S E-MAIL ADDRESS)

Page 30

FILE TRANSFER PROTOCOL (FTP)

• UPLOADS & DOWNLOADS 2 TYPES OF FILES: ASCII (TEXT) & BINARY (ALL OTHER FILE ENCODINGS)

  ftp> binary
  200 Type set to I
  ftp> put photo1.gif

• PREFACE COMMANDS WITH “!” TO RUN A COMMAND ON THE LOCAL MACHINE

  ftp> !pwd
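Why the slide types binary before put photo1.gif, shown as an added example (not code from the lecture). In ASCII mode (type A) the sending side converts its local line endings to the protocol's CRLF and the receiving side converts back to its own convention; in binary mode (type I) bytes pass through untouched. Applied to a file that is not text, the ASCII conversion changes every byte that happens to equal a newline. The GIF-like header and the shell script are constructed samples, and the receiving-host newline convention is a parameter so both Unix and CRLF-based hosts can be modelled.

```python
# Added example (not from the lecture): simulate an FTP put in ASCII and
# binary mode and show what the receiving host stores.

# Constructed samples: a header that resembles a GIF and contains newline
# bytes (0x0A and 0x0D 0x0A), and a small shell script.
GIF_LIKE = b"GIF89a" + bytes([0x0A, 0x00, 0x0D, 0x0A, 0xFF, 0x0A])
SCRIPT = b"#!/bin/sh\necho hello\n"

TEXT_BYTES = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


def transfer(data: bytes, mode: str, receiver_newline: bytes = b"\n") -> bytes:
    """Bytes the receiving host stores after a put from a Unix client.

    mode: 'binary' (type I) passes octets through unchanged.
          'ascii'  (type A) converts LF -> CRLF on the wire, then the receiver
                   rewrites CRLF into its own line ending (LF on Unix,
                   CRLF on Windows-style hosts).
    """
    if mode == "binary":
        return data
    if mode == "ascii":
        wire = data.replace(b"\n", b"\r\n")               # sender side
        return wire.replace(b"\r\n", receiver_newline)    # receiver side
    raise ValueError("mode must be 'ascii' or 'binary'")


def corrupted(original: bytes, stored: bytes) -> bool:
    """True when the transfer altered the file."""
    return original != stored


def recommend_mode(data: bytes) -> str:
    """Heuristic (constructed, in the spirit of file(1)'s text test): only
    printable ASCII plus tab/LF/CR -> 'ascii', anything else -> 'binary'.
    When in doubt, binary is the safe choice because it never alters data."""
    return "ascii" if all(b in TEXT_BYTES for b in data) else "binary"


if __name__ == "__main__":
    print(corrupted(GIF_LIKE, transfer(GIF_LIKE, "binary")))           # False
    print(corrupted(GIF_LIKE, transfer(GIF_LIKE, "ascii", b"\r\n")))  # True: 12 bytes became 15
    print(transfer(SCRIPT, "ascii", b"\r\n"))                          # script with CRLF endings
    print(recommend_mode(GIF_LIKE), recommend_mode(SCRIPT))            # binary ascii
```

A Unix-to-Unix ASCII transfer happens to round-trip in this model because both ends undo each other's conversion; the damage appears as soon as the receiving host stores a different line ending, which is why the only mode that is correct for an image on every pair of hosts is binary.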

Page 31

FILE TRANSFER PROTOCOL (FTP) (CONT’D)

• FTP COMMANDS FOR USE ON REMOTE SYSTEM:

  !        cr          get      mdir     nlist     put      rmdir     tenex
  $        debug       glob     mget     nmap      pwd      rstatus   throttle
  account  delete      hash     mkdir    ntrans    quit     runique   trace
  append   dir         help     mls      open      quote    send      type
  ascii    disconnect  idle     mlsd     page      rate     sendport  umask
  bell     edit        image    mlst     passive   rcvbuf   set       unset
  binary   epsv4       lcd      mode     pdir      recv     site      usage
  bye      exit        less     modtime  pls       reget    size      user
  case     features    lpage    more     pmlsd     remopts  sndbuf    verbose
  cd       fget        lpwd     mput     preserve  rename   status    xferbuf
  cdup     form        ls       mreget   progress  reset    struct    ?
  chmod    ftp         macdef   msend    prompt    restart  sunique
  close    gate        mdelete  newer    proxy     rhelp    system

Page 32

FILE TRANSFER PROTOCOL (FTP) (CONT’D)

• TO UPLOAD FILES ONTO A REMOTE SYSTEM USE put OR mput
  o put - UPLOADS ONE FILE AT A TIME

    ftp> binary
    200 Type set to I.
    ftp> put photo1.gif

  o mput - UPLOADS ONE OR MORE FILES AT A TIME

    ftp> binary
    200 Type set to I.
    ftp> mput photo*.gif
    ftp> ascii
    200 Type set to A.
    ftp> mput mo*.sh

Page 33

FILE TRANSFER PROTOCOL (FTP) (CONT’D)

• TO DOWNLOAD FILES FROM A REMOTE SYSTEM USE get OR mget.
  o get DOWNLOADS ONE FILE AT A TIME

    ftp> binary
    200 Type set to I.
    ftp> get photo1.gif

  o mget DOWNLOADS ONE OR MORE FILES AT A TIME

    ftp> binary
    200 Type set to I.
    ftp> mget photo*.gif

Page 34

FILE TRANSFER PROTOCOL (FTP) (CONT’D)

• NORMALLY, prompt AND hash ARE INVOKED IMMEDIATELY BEFORE get AND mget
  o prompt MAKES get AND mget BEHAVE NON-INTERACTIVELY, IF INTERACTIVE MODE WAS ACTIVE.

    ftp> prompt
    Interactive mode off.
    ftp>

  o hash CAUSES A “#” TO BE PRINTED EACH TIME A BLOCK OF DATA IS TRANSFERRED.

    ftp> hash
    Hash mark printed on (1024 bytes/hash mark).
    ftp>